From ad4ba9423556d0fd54156e8d8343539a6e27044e Mon Sep 17 00:00:00 2001 From: Scott Little Date: Wed, 1 Aug 2018 14:21:59 -0400 Subject: [PATCH] Relocate haproxy to stx-integ/base/haproxy Move content from stx-gplv2 into stx-integ Packages will be relocated to stx-integ: base/ bash cgcs-users cluster-resource-agents dpkg haproxy libfdt netpbm rpm database/ mariadb filesystem/ iscsi-initiator-utils filesystem/drbd/ drbd-tools kernel/kernel-modules/ drbd integrity intel-e1000e intel-i40e intel-i40evf intel-ixgbe intel-ixgbevf qat17 tpmdd ldap/ ldapscripts networking/ iptables net-tools Change-Id: Ia0510ab3c8879bc0ebd15261db2edaa84b346f20 Story: 2002801 Task: 22687 
Signed-off-by: Scott Little --- base/haproxy/PKG-INFO | 15 + base/haproxy/centos/build_srpm.data | 2 + ...te-package-versioning-for-TIS-format.patch | 27 ++ base/haproxy/centos/meta_patches/PATCH_ORDER | 7 + .../meta_patches/haproxy-service-file.patch | 26 ++ .../haproxy-spec-add-init-script.patch | 47 +++ .../meta_add_support_for_tpm.patch | 42 +++ .../meta_remove_bad_logrotate.patch | 40 +++ .../spec-add-haproxy-env-var-patch.patch | 32 ++ .../spec-include-TiS-config.patch | 58 ++++ base/haproxy/centos/srpm_path | 1 + base/haproxy/haproxy/503.http | 9 + base/haproxy/haproxy/haproxy-env-var.patch | 245 ++++++++++++++ .../haproxy/haproxy/haproxy-tpm-support.patch | 319 ++++++++++++++++++ base/haproxy/haproxy/haproxy.cfg | 80 +++++ base/haproxy/haproxy/haproxy.sh | 120 +++++++ centos_pkg_dirs | 1 + 17 files changed, 1071 insertions(+) create mode 100644 base/haproxy/PKG-INFO create mode 100644 base/haproxy/centos/build_srpm.data create mode 100644 base/haproxy/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch create mode 100644 base/haproxy/centos/meta_patches/PATCH_ORDER create mode 100644 base/haproxy/centos/meta_patches/haproxy-service-file.patch create mode 100644 base/haproxy/centos/meta_patches/haproxy-spec-add-init-script.patch create mode 100644 base/haproxy/centos/meta_patches/meta_add_support_for_tpm.patch create mode 100644 base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch create mode 100644 base/haproxy/centos/meta_patches/spec-add-haproxy-env-var-patch.patch create mode 100644 base/haproxy/centos/meta_patches/spec-include-TiS-config.patch create mode 100644 base/haproxy/centos/srpm_path create mode 100644 base/haproxy/haproxy/503.http create mode 100644 base/haproxy/haproxy/haproxy-env-var.patch create mode 100644 base/haproxy/haproxy/haproxy-tpm-support.patch create mode 100755 base/haproxy/haproxy/haproxy.cfg create mode 100755 base/haproxy/haproxy/haproxy.sh 
diff --git a/base/haproxy/PKG-INFO b/base/haproxy/PKG-INFO
new file mode 100644
index 000000000..2f1d821f9
--- /dev/null
+++ b/base/haproxy/PKG-INFO
@@ -0,0 +1,15 @@
+Metadata-Version: 1.1
+Name: haproxy
+Version: 1.5.18
+Summary: Abstract asynchronous event notification library
+Home-page:
+Author:
+Author-email:
+License: GPLv2+
+
+Description:
+HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
+availability environments.
+
+
+Platform: UNKNOWN
diff --git a/base/haproxy/centos/build_srpm.data b/base/haproxy/centos/build_srpm.data
new file mode 100644
index 000000000..b768bf6c3
--- /dev/null
+++ b/base/haproxy/centos/build_srpm.data
@@ -0,0 +1,2 @@
+COPY_LIST="haproxy/*"
+TIS_PATCH_VER=7
diff --git a/base/haproxy/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/base/haproxy/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
new file mode 100644
index 000000000..2e71baa97
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
@@ -0,0 +1,27 @@
+From 79f025b91d461a948ca6449eb25a11a6c89144b5 Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 7/7] WRS: 0001-Update-package-versioning-for-TIS-format.patch
+
+Conflicts:
+ SPECS/haproxy.spec
+---
+ SPECS/haproxy.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index c1547ef..097aa79 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -8,7 +8,7 @@
+ 
+ Name: haproxy
+ Version: 1.5.18
+-Release: 6%{?dist}
++Release: 6.el7%{?_tis_dist}.%{tis_patch_ver}
+ Summary: TCP/HTTP proxy and load balancer for high availability environments
+ 
+ Group: System Environment/Daemons
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/PATCH_ORDER b/base/haproxy/centos/meta_patches/PATCH_ORDER
new file mode 100644
index 000000000..87bd6af57
--- /dev/null
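Review bot: The `Summary:` in PKG-INFO ("Abstract asynchronous event notification library") describes a different package, not HAProxy; the spec patched later in this same commit carries the correct line, so PKG-INFO should read `Summary: TCP/HTTP proxy and load balancer for high availability environments`. `Home-page:` is left empty even though the spec's `URL:` on this page gives `http://www.haproxy.org/`, which could be filled in at the same time. Both are metadata-only fixes, but the stale summary is what tooling and package indexes will display for this relocated package.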
+++ b/base/haproxy/centos/meta_patches/PATCH_ORDER
@@ -0,0 +1,7 @@
+spec-include-TiS-config.patch
+haproxy-spec-add-init-script.patch
+spec-add-haproxy-env-var-patch.patch
+meta_remove_bad_logrotate.patch
+haproxy-service-file.patch
+meta_add_support_for_tpm.patch
+0001-Update-package-versioning-for-TIS-format.patch
diff --git a/base/haproxy/centos/meta_patches/haproxy-service-file.patch b/base/haproxy/centos/meta_patches/haproxy-service-file.patch
new file mode 100644
index 000000000..179b7d55f
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/haproxy-service-file.patch
@@ -0,0 +1,26 @@
+From c4d74c67ee001af849e7a30e824cc0f8e38ef948 Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 5/7] WRS: haproxy-service-file.patch
+
+---
+ SOURCES/haproxy.service | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service
+index 2d4c954..c2f1086 100644
+--- a/SOURCES/haproxy.service
++++ b/SOURCES/haproxy.service
+@@ -4,7 +4,8 @@ After=syslog.target network.target
+ 
+ [Service]
+ EnvironmentFile=/etc/sysconfig/haproxy
+-ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS
++ExecStart=/etc/init.d/haproxy start
++ExecStop=/etc/init.d/haproxy stop
+ ExecReload=/bin/kill -USR2 $MAINPID
+ KillMode=mixed
+ 
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/haproxy-spec-add-init-script.patch b/base/haproxy/centos/meta_patches/haproxy-spec-add-init-script.patch
new file mode 100644
index 000000000..d38a4fc3e
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/haproxy-spec-add-init-script.patch
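Review bot: `ExecReload=/bin/kill -USR2 $MAINPID` is kept while `ExecStart` becomes a SysV init script that returns after spawning the daemon; `$MAINPID` only names the haproxy process if the unit declares `Type=forking` together with `PIDFile=/run/haproxy.pid`, and neither appears in the hunk's context (the `[Service]` section starts at unit line 6). If the unit is still the default `Type=simple`, systemd will treat the service as exited when the script returns and the reload will signal nothing useful. Please confirm the `Type=`/`PIDFile=` lines above the hunk or add them next to the new `ExecStop`. The init script itself (haproxy.sh, 120 lines per the diffstat) is not in this view, so whether it writes `/run/haproxy.pid` is not verifiable here.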
@@ -0,0 +1,47 @@
+From 959767df3285a81f1c5650018ed846fe90a68c9d Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 2/7] WRS: haproxy-spec-add-init-script.patch
+
+---
+ SPECS/haproxy.spec | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index 42ddeb0..cbd9161 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -21,6 +21,7 @@ Source2: %{name}.cfg
+ Source3: %{name}.logrotate
+ Source4: %{name}.sysconfig
+ Source5: halog.1
++Source10: %{name}.sh
+ 
+ # WRS
+ Source6: 503.http
+@@ -81,11 +82,14 @@ popd
+ %{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"
+ %{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
+ 
++mkdir -p /etc/init.d
++
+ %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+ %{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+ %{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
++%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
+ %{__install} -d -m 0755 %{buildroot}%{haproxy_home}
+ %{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
+ %{__install} -d -m 0755 %{buildroot}%{_bindir}
+@@ -149,6 +153,7 @@ fi
+ %{_bindir}/halog
+ %{_bindir}/iprange
+ %{_mandir}/man1/*
++/etc/init.d/%{name}
+ %attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
+ 
+ # WRS
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/meta_add_support_for_tpm.patch b/base/haproxy/centos/meta_patches/meta_add_support_for_tpm.patch
new file mode 100644
index 000000000..a87dd87ca
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/meta_add_support_for_tpm.patch
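Review bot: `mkdir -p /etc/init.d` in `%install` acts on the build host's filesystem rather than on `%{buildroot}`, which is a side effect a package build must never have and will fail or be refused in a non-root/sandboxed build. It is also redundant, because the `%{__install} -p -D ... %{buildroot}/etc/init.d/%{name}` added a few lines below creates the target directory on its own; drop the two added lines, or if an explicit step is wanted write `mkdir -p %{buildroot}%{_initddir}`. The hard-coded `/etc/init.d/%{name}` in both `%install` and `%files` would conventionally be `%{_initddir}/%{name}`. The script being installed (haproxy.sh) is outside this view.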
@@ -0,0 +1,42 @@
+From a5329bf1468f55c8d6b983e5999c12139dc7479d Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 6/7] WRS: meta_add_support_for_tpm.patch
+
+---
+ SPECS/haproxy.spec | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index 3d112e0..c1547ef 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -30,6 +30,7 @@ Patch1: iprange-return-type.patch
+ Patch2: haproxy-tcp-user-timeout.patch
+ Patch3: haproxy-systemd-wrapper-exit-code.patch
+ Patch4: haproxy-env-var.patch
++Patch5: haproxy-tpm-support.patch
+ 
+ BuildRequires: pcre-devel
+ BuildRequires: zlib-devel
+@@ -41,6 +42,9 @@ Requires(post): systemd
+ Requires(preun): systemd
+ Requires(postun): systemd
+ 
++Requires: tpm2-openssl-engine
++
++
+ %description
+ HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
+ availability environments. Indeed, it can:
+@@ -62,6 +66,7 @@ availability environments. Indeed, it can:
+ %patch2 -p1
+ %patch3 -p1
+ %patch4 -p1
++%patch5 -p1
+ 
+ %build
+ regparm_opts=
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch b/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch
new file mode 100644
index 000000000..f99a42395
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/meta_remove_bad_logrotate.patch
@@ -0,0 +1,40 @@
+From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 4/7] WRS: meta_remove_bad_logrotate.patch
+
+---
+ SPECS/haproxy.spec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index af94d46..3d112e0 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/
+ Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
+ Source1: %{name}.service
+ Source2: %{name}.cfg
+-Source3: %{name}.logrotate
+ Source4: %{name}.sysconfig
+ Source5: halog.1
+ Source10: %{name}.sh
+@@ -88,7 +87,6 @@ mkdir -p /etc/init.d
+ 
+ %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+ %{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+-%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
+ %{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
+@@ -147,7 +145,6 @@ fi
+ %dir %{haproxy_datadir}
+ %{haproxy_datadir}/*
+ %config(noreplace) %{haproxy_confdir}/%{name}.cfg
+-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+ %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+ %{_unitdir}/%{name}.service
+ %{_sbindir}/%{name}
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/spec-add-haproxy-env-var-patch.patch b/base/haproxy/centos/meta_patches/spec-add-haproxy-env-var-patch.patch
new file mode 100644
index 000000000..95eb17e44
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/spec-add-haproxy-env-var-patch.patch
@@ -0,0 +1,32 @@
+From 2e37207c026047e2ce1bc9a5278faddfea81c011 Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 3/7] WRS: spec-add-haproxy-env-var-patch.patch
+
+---
+ SPECS/haproxy.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index cbd9161..af94d46 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -30,6 +30,7 @@ Patch0: halog-unused-variables.patch
+ Patch1: iprange-return-type.patch
+ Patch2: haproxy-tcp-user-timeout.patch
+ Patch3: haproxy-systemd-wrapper-exit-code.patch
++Patch4: haproxy-env-var.patch
+ 
+ BuildRequires: pcre-devel
+ BuildRequires: zlib-devel
+@@ -61,6 +62,7 @@ availability environments. Indeed, it can:
+ %patch1 -p0
+ %patch2 -p1
+ %patch3 -p1
++%patch4 -p1
+ 
+ %build
+ regparm_opts=
+-- 
+1.9.1
+
diff --git a/base/haproxy/centos/meta_patches/spec-include-TiS-config.patch b/base/haproxy/centos/meta_patches/spec-include-TiS-config.patch
new file mode 100644
index 000000000..3cff88440
--- /dev/null
+++ b/base/haproxy/centos/meta_patches/spec-include-TiS-config.patch
@@ -0,0 +1,58 @@
+From 419d06285552bc31dce214d37edb925b4a82c68b Mon Sep 17 00:00:00 2001
+From: Scott Little
+Date: Mon, 2 Oct 2017 16:12:36 -0400
+Subject: [PATCH 1/7] WRS: spec-include-TiS-config.patch
+
+---
+ SPECS/haproxy.spec | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
+index b4dde9e..42ddeb0 100644
+--- a/SPECS/haproxy.spec
++++ b/SPECS/haproxy.spec
+@@ -22,6 +22,9 @@ Source3: %{name}.logrotate
+ Source4: %{name}.sysconfig
+ Source5: halog.1
+ 
++# WRS
++Source6: 503.http
++
+ Patch0: halog-unused-variables.patch
+ Patch1: iprange-return-type.patch
+ Patch2: haproxy-tcp-user-timeout.patch
+@@ -79,7 +82,7 @@ popd
+ %{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
+ 
+ %{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+-%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
++%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+ %{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+ %{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
+@@ -106,6 +109,11 @@ do
+ %{__rm} -f $textfile.old
+ done
+ 
++# WRS
++%{__install} -d 755 %{buildroot}/etc/haproxy/errors/
++%{__install} -m 755 %{SOURCE6} %{buildroot}/etc/haproxy/errors/503.http
++
++
+ %pre
+ getent group %{haproxy_group} >/dev/null || groupadd -f -g 188 -r %{haproxy_group}
+ if ! getent passwd %{haproxy_user} >/dev/null ; then
+@@ -143,6 +151,10 @@ fi
+ %{_mandir}/man1/*
+ %attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
+ 
++# WRS
++%dir /etc/haproxy/errors/
++/etc/haproxy/errors/*
++
+ %changelog
+ * Mon May 01 2017 Ryan O'Hara - 1.5.18-6
+ - Use KillMode=mixed in systemd service file (#1444709)
+-- 
+1.9.1
+
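Review bot: `%{__install} -d 755 %{buildroot}/etc/haproxy/errors/` is missing the `-m` flag, so install takes `755` as a second directory name to create in the build's working directory and the errors directory receives the default mode; it should read `%{__install} -d -m 0755 %{buildroot}/etc/haproxy/errors/`. The next line installs the static 503 response body with mode 755, but an HTTP error page has no reason to carry the execute bit: `%{__install} -p -m 0644 %{SOURCE6} %{buildroot}/etc/haproxy/errors/503.http`. Since `%files` packages `/etc/haproxy/errors/*` without `%config`, a site-edited page will be silently overwritten on upgrade; if operators are expected to customize it, mark it `%config(noreplace)`.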
diff --git a/base/haproxy/centos/srpm_path b/base/haproxy/centos/srpm_path
new file mode 100644
index 000000000..fb995db93
--- /dev/null
+++ b/base/haproxy/centos/srpm_path
@@ -0,0 +1 @@
+mirror:Source/haproxy-1.5.18-6.el7.src.rpm
diff --git a/base/haproxy/haproxy/503.http b/base/haproxy/haproxy/503.http
new file mode 100644
index 000000000..367d4254f
--- /dev/null
+++ b/base/haproxy/haproxy/503.http
@@ -0,0 +1,9 @@
+HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+

503 Service Unavailable

+No server is available to handle this request. + + diff --git a/base/haproxy/haproxy/haproxy-env-var.patch b/base/haproxy/haproxy/haproxy-env-var.patch new file mode 100644 index 000000000..93d1749b8 --- /dev/null +++ b/base/haproxy/haproxy/haproxy-env-var.patch 
@@ -0,0 +1,245 @@ +Index: haproxy-1.5.11/src/cfgparse.c +=================================================================== +--- haproxy-1.5.11.orig/src/cfgparse.c ++++ haproxy-1.5.11/src/cfgparse.c +@@ -5789,12 +5789,19 @@ out: + */ + int readcfgfile(const char *file) + { +- char thisline[LINESIZE]; ++ char *thisline; ++ int linesize = LINESIZE; + FILE *f; + int linenum = 0; + int err_code = 0; + struct cfg_section *cs = NULL; + struct cfg_section *ics; ++ int readbytes = 0; ++ ++ if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) { ++ Alert("parsing [%s] : out of memory.\n", file); ++ return -1; ++ } + + /* Register internal sections */ + if (!cfg_register_section("listen", cfg_parse_listen) || +@@ -5810,11 +5817,14 @@ int readcfgfile(const char *file) + if ((f=fopen(file,"r")) == NULL) + return -1; + +- while (fgets(thisline, sizeof(thisline), f) != NULL) { ++next_line: ++ while (fgets(thisline + readbytes, linesize - readbytes, f) != NULL) { + int arg, kwm = KWM_STD; + char *end; + char *args[MAX_LINE_ARGS + 1]; + char *line = thisline; ++ int dquote = 0; /* double quote */ ++ int squote = 0; /* simple quote */ + + linenum++; + +@@ -5824,11 +5834,25 @@ int readcfgfile(const char *file) + /* Check if we reached the limit and the last char is not \n. + * Watch out for the last line without the terminating '\n'! 
+ */ +- Alert("parsing [%s:%d]: line too long, limit: %d.\n", +- file, linenum, (int)sizeof(thisline)-1); +- err_code |= ERR_ALERT | ERR_FATAL; ++ char *newline; ++ int newlinesize = linesize * 2; ++ ++ newline = realloc(thisline, sizeof(*thisline) * newlinesize); ++ if (newline == NULL) { ++ Alert("parsing [%s:%d]: line too long, cannot allocate memory.\n", ++ file, linenum); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ continue; ++ } ++ ++ readbytes = linesize - 1; ++ linesize = newlinesize; ++ thisline = newline; ++ continue; + } + ++ readbytes = 0; ++ + /* skip leading spaces */ + while (isspace((unsigned char)*line)) + line++; +@@ -5837,10 +5861,26 @@ int readcfgfile(const char *file) + args[arg] = line; + + while (*line && arg < MAX_LINE_ARGS) { +- /* first, we'll replace \\, \, \#, \r, \n, \t, \xXX with their +- * C equivalent value. Other combinations left unchanged (eg: \1). +- */ +- if (*line == '\\') { ++ if (*line == '"' && !squote) { /* double quote outside single quotes */ ++ if (dquote) ++ dquote = 0; ++ else ++ dquote = 1; ++ memmove(line, line + 1, end - line); ++ end--; ++ } ++ else if (*line == '\'' && !dquote) { /* single quote outside double quotes */ ++ if (squote) ++ squote = 0; ++ else ++ squote = 1; ++ memmove(line, line + 1, end - line); ++ end--; ++ } ++ else if (*line == '\\' && !squote) { ++ /* first, we'll replace \\, \, \#, \r, \n, \t, \xXX with their ++ * C equivalent value. Other combinations left unchanged (eg: \1). 
++ */ + int skip = 0; + if (line[1] == ' ' || line[1] == '\\' || line[1] == '#') { + *line = line[1]; +@@ -5872,6 +5912,15 @@ int readcfgfile(const char *file) + Alert("parsing [%s:%d] : invalid or incomplete '\\x' sequence in '%s'.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + } ++ } else if (line[1] == '"') { ++ *line = '"'; ++ skip = 1; ++ } else if (line[1] == '\'') { ++ *line = '\''; ++ skip = 1; ++ } else if (line[1] == '$' && dquote) { /* escaping of $ only inside double quotes */ ++ *line = '$'; ++ skip = 1; + } + if (skip) { + memmove(line + 1, line + 1 + skip, end - (line + skip)); +@@ -5879,23 +5928,117 @@ int readcfgfile(const char *file) + } + line++; + } +- else if (*line == '#' || *line == '\n' || *line == '\r') { ++ else if ((!squote && !dquote && *line == '#') || *line == '\n' || *line == '\r') { + /* end of string, end of loop */ + *line = 0; + break; + } +- else if (isspace((unsigned char)*line)) { ++ else if (!squote && !dquote && isspace((unsigned char)*line)) { + /* a non-escaped space is an argument separator */ + *line++ = '\0'; + while (isspace((unsigned char)*line)) + line++; + args[++arg] = line; + } ++ else if (dquote && *line == '$') { ++ /* environment variables are evaluated inside double quotes */ ++ char *var_beg; ++ char *var_end; ++ char save_char; ++ char *value; ++ int val_len; ++ int newlinesize; ++ int braces = 0; ++ ++ var_beg = line + 1; ++ var_end = var_beg; ++ ++ if (*var_beg == '{') { ++ var_beg++; ++ var_end++; ++ braces = 1; ++ } ++ ++ if (!isalpha((int)(unsigned char)*var_beg) && *var_beg != '_') { ++ Alert("parsing [%s:%d] : Variable expansion: Unrecognized character '%c' in variable name.\n", file, linenum, *var_beg); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ goto next_line; /* skip current line */ ++ } ++ ++ while (isalnum((int)(unsigned char)*var_end) || *var_end == '_') ++ var_end++; ++ ++ save_char = *var_end; ++ *var_end = '\0'; ++ value = getenv(var_beg); ++ *var_end = save_char; ++ val_len 
= value ? strlen(value) : 0; ++ ++ if (braces) { ++ if (*var_end == '}') { ++ var_end++; ++ braces = 0; ++ } else { ++ Alert("parsing [%s:%d] : Variable expansion: Mismatched braces.\n", file, linenum); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ goto next_line; /* skip current line */ ++ } ++ } ++ ++ newlinesize = (end - thisline) - (var_end - line) + val_len + 1; ++ ++ /* if not enough space in thisline */ ++ if (newlinesize > linesize) { ++ char *newline; ++ ++ newline = realloc(thisline, newlinesize * sizeof(*thisline)); ++ if (newline == NULL) { ++ Alert("parsing [%s:%d] : Variable expansion: Not enough memory.\n", file, linenum); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ goto next_line; /* slip current line */ ++ } ++ /* recompute pointers if realloc returns a new pointer */ ++ if (newline != thisline) { ++ int i; ++ int diff; ++ ++ for (i = 0; i <= arg; i++) { ++ diff = args[i] - thisline; ++ args[i] = newline + diff; ++ } ++ ++ diff = var_end - thisline; ++ var_end = newline + diff; ++ diff = end - thisline; ++ end = newline + diff; ++ diff = line - thisline; ++ line = newline + diff; ++ thisline = newline; ++ } ++ linesize = newlinesize; ++ } ++ ++ /* insert value inside the line */ ++ memmove(line + val_len, var_end, end - var_end + 1); ++ memcpy(line, value, val_len); ++ end += val_len - (var_end - line); ++ line += val_len; ++ } + else { + line++; + } + } + ++ if (dquote) { ++ Alert("parsing [%s:%d] : Mismatched double quotes.\n", file, linenum); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ } ++ ++ if (squote) { ++ Alert("parsing [%s:%d] : Mismatched simple quotes.\n", file, linenum); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ } ++ + /* empty line */ + if (!**args) + continue; +@@ -5966,6 +6109,7 @@ int readcfgfile(const char *file) + break; + } + cursection = NULL; ++ free(thisline); + fclose(f); + return err_code; + } 
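Review bot: In the buffer-growth branch after the "line too long" check, `continue` re-enters `while (fgets(thisline + readbytes, ...))`, whose first statement is `linenum++`, so a physical line that needs more than one fgets call is counted once per chunk and every later `parsing [%s:%d]` message reports a shifted line number; add `linenum--; /* same physical line continues */` before that `continue`. In the `dquote && *line == '$'` branch, `memcpy(line, value, val_len)` is reached with `value == NULL` whenever the variable is unset (`val_len` is then 0), which is undefined behaviour even for a zero-length copy; guard it with `if (val_len) memcpy(line, value, val_len);`. That branch also deserves a comment stating that the expanded value is stepped over (`line += val_len`) rather than re-tokenised, so text taken from the process environment (which the unit file on this page populates via EnvironmentFile=) cannot introduce extra arguments, quotes or comment markers into the config line. readcfgfile() starts and ends outside the individual inner cfgparse.c hunks, so the `end` initialisation and the full line-length condition are not visible here.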
diff --git a/base/haproxy/haproxy/haproxy-tpm-support.patch b/base/haproxy/haproxy/haproxy-tpm-support.patch
new file mode 100644
index 000000000..eb4545da7
--- /dev/null
+++ b/base/haproxy/haproxy/haproxy-tpm-support.patch
@@ -0,0 +1,319 @@ +From a2a25214f6f4913b774bdd6c0b80d3ea424d3a1b Mon Sep 17 00:00:00 2001 +From: Kam Nasim +Date: Wed, 22 Mar 2017 12:07:24 -0400 +Subject: [PATCH] haproxy tpm support + +--- + include/types/global.h | 13 +++++ + src/cfgparse.c | 28 ++++++++++ + src/haproxy.c | 26 ++++++++- + src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------ + 4 files changed, 197 insertions(+), 17 deletions(-) + +diff --git a/include/types/global.h b/include/types/global.h +index f1525ae..2e9c077 100644 +--- a/include/types/global.h ++++ b/include/types/global.h +@@ -30,6 +30,10 @@ + #include + #include + ++#ifdef USE_OPENSSL ++#include ++#endif ++ + #ifndef UNIX_MAX_PATH + #define UNIX_MAX_PATH 108 + #endif +@@ -71,6 +75,14 @@ enum { + SSL_SERVER_VERIFY_REQUIRED = 1, + }; + ++// WRS: Define a new TPM configuration structure ++struct tpm_conf { ++ char *tpm_object; ++ char *tpm_engine; ++ EVP_PKEY *tpm_key; ++ ENGINE *tpm_engine_ref; ++}; ++ + /* FIXME : this will have to be redefined correctly */ + struct global { + #ifdef USE_OPENSSL +@@ -87,6 +99,7 @@ struct global { + char *connect_default_ciphers; + int listen_default_ssloptions; + int connect_default_ssloptions; ++ struct tpm_conf tpm; // tpm configuration + #endif + unsigned int ssl_server_verify; /* default verify mode on servers side */ + struct freq_ctr conn_per_sec; +diff --git a/src/cfgparse.c b/src/cfgparse.c +index 6a7f80c..3bc6e79 100644 +--- a/src/cfgparse.c ++++ b/src/cfgparse.c +@@ -1541,6 +1541,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) + goto out; + #endif + } ++ else if (!strcmp(args[0], "tpm-object")) { ++ if (global.tpm.tpm_object) { ++ free(global.tpm.tpm_object); ++ } ++#ifdef USE_OPENSSL ++ if (*(args[1]) && (access(args[1], F_OK) != -1)) { ++ global.tpm.tpm_object = strdup(args[1]); ++ } ++#else ++ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ goto out; ++#endif ++ } ++ else 
if (!strcmp(args[0], "tpm-engine")) { ++ if (global.tpm.tpm_engine) { ++ free(global.tpm.tpm_engine); ++ } ++#ifdef USE_OPENSSL ++ if (*(args[1]) && (access(args[1], F_OK) != -1)) { ++ global.tpm.tpm_engine = strdup(args[1]); ++ } ++#else ++ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); ++ err_code |= ERR_ALERT | ERR_FATAL; ++ goto out; ++#endif ++ } + else { + struct cfg_kw_list *kwl; + int index; +diff --git a/src/haproxy.c b/src/haproxy.c +index 862697d..2a1a0dc 100644 +--- a/src/haproxy.c ++++ b/src/haproxy.c +@@ -959,6 +959,24 @@ static void deinit_stick_rules(struct list *rules) + } + } + ++static void deinit_tpm_engine() ++{ ++ /* ++ * if the tpm engine is present then ++ * deinit it, this is needed to ++ * flush the TPM key handle from TPM memory ++ */ ++ if (global.tpm.tpm_engine_ref) { ++ ENGINE_finish(global.tpm.tpm_engine_ref); ++ } ++ ++ if (global.tpm.tpm_key) { ++ EVP_PKEY_free(global.tpm.tpm_key); ++ } ++ free(global.tpm.tpm_engine); global.tpm.tpm_engine = NULL; ++ free(global.tpm.tpm_object); global.tpm.tpm_object = NULL; ++} ++ + void deinit(void) + { + struct proxy *p = proxy, *p0; +@@ -1218,7 +1236,13 @@ void deinit(void) + + free(uap); + } +- ++ ++ /* if HAProxy was in TPM mode then deinit ++ * that configuration as well. ++ */ ++ if (global.tpm.tpm_object && global.tpm.tpm_object != '\0') ++ deinit_tpm_engine(); ++ + userlist_free(userlist); + + protocol_unbind_all(); +diff --git a/src/ssl_sock.c b/src/ssl_sock.c +index ead4c7b..4e16026 100644 +--- a/src/ssl_sock.c ++++ b/src/ssl_sock.c +@@ -50,6 +50,7 @@ + #ifndef OPENSSL_NO_DH + #include + #endif ++#include + + #include + #include +@@ -1115,6 +1116,80 @@ end: + return ret; + } + ++/* ++ * initialize the TPM engine and load the ++ * TPM object as private key within the Engine. 
++ * Only do this for the first bind since TPM can ++ * only load 3-4 contexes before it runs out of memory ++ */ ++static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) { ++ if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') { ++ /* not in TPM mode */ ++ return -1; ++ } ++ if (!global.tpm.tpm_key) { ++ Warning ("Could not find tpm_key; initializing engine\n"); ++ /* no key present; load the dynamic TPM engine */ ++ if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) { ++ ENGINE_load_dynamic(); ++ ENGINE *engine = ENGINE_by_id("dynamic"); ++ if (!engine) { ++ memprintf(err, "%s Unable to load the dynamic engine " ++ "(needed for loading custom TPM engine)\n", ++ err && *err ? *err : ""); ++ return 1; ++ } ++ ++ ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0); ++ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0); ++ /* stow away for ENGINE cleanup */ ++ global.tpm.tpm_engine_ref = engine; ++ ++ if (ENGINE_init(engine) != 1) { ++ const char *error_str = ERR_error_string(ERR_get_error(), NULL); ++ memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n", ++ err && *err ? *err : "", ++ global.tpm.tpm_engine, error_str); ++ goto tpm_err; ++ } ++ EVP_PKEY *pkey = ENGINE_load_private_key(engine, ++ global.tpm.tpm_object, ++ NULL, NULL); ++ if (!pkey) { ++ const char *error_str = ERR_error_string(ERR_get_error(), NULL); ++ memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n", ++ err && *err ? *err : "", ++ global.tpm.tpm_object, error_str); ++ goto tpm_err; ++ } ++ global.tpm.tpm_key = pkey; ++ } ++ else { /* no TPM engine found */ ++ memprintf(err, "%s TPM engine option not set when TPM mode expected\n", ++ err && *err ? *err : ""); ++ goto tpm_err; ++ } ++ } ++ ++ if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){ ++ const char *error_str = ERR_error_string(ERR_get_error(), ++ NULL); ++ memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n", ++ err && *err ? 
*err : "", ++ global.tpm.tpm_object, error_str); ++ goto tpm_err; ++ } ++ ++ return 0; ++ ++tpm_err: ++ ENGINE_finish(global.tpm.tpm_engine_ref); ++ global.tpm.tpm_engine_ref = NULL; ++ EVP_PKEY_free(global.tpm.tpm_key); ++ global.tpm.tpm_key = NULL; ++ return 1; ++} ++ + static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err) + { + int ret; +@@ -1127,26 +1202,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf + return 1; + } + +- if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) { +- memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n", +- err && *err ? *err : "", path); +- SSL_CTX_free(ctx); +- return 1; ++ /* NOTE (knasim-wrs): US93721: TPM support ++ * This SSL context applies to SSL frontends only. ++ * If the TPM option is set then the Private key ++ * is stored in TPM. ++ * ++ * Launch the OpenSSL TPM engine and load the TPM ++ * Private Key. The Public key will still be located ++ * at the provided path and needs to be loaded as ++ * per usual. ++ */ ++ if (global.tpm.tpm_object) { ++ ret = ssl_sock_load_tpm_key(ctx, err); ++ if (ret > 0) { ++ /* tpm configuration failed */ ++ SSL_CTX_free(ctx); ++ return 1; ++ } + } +- +- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount); +- if (ret <= 0) { +- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n", +- err && *err ? *err : "", path); +- if (ret < 0) /* serious error, must do that ourselves */ ++ else { /* non TPM mode */ ++ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) { ++ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n", ++ err && *err ? 
*err : "", path); + SSL_CTX_free(ctx); +- return 1; ++ return 1; ++ } + } + +- if (SSL_CTX_check_private_key(ctx) <= 0) { +- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n", +- err && *err ? *err : "", path); +- return 1; ++ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount); ++ if (ret <= 0) { ++ memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n", ++ err && *err ? *err : "", path); ++ if (ret < 0) /* serious error, must do that ourselves */ ++ SSL_CTX_free(ctx); ++ return 1; ++ } ++ ++ /* ++ * only match the private key to the public key ++ * for non TPM mode. This op would never work for ++ * TPM since the private key has been wrapped, whereas ++ * the public key is still the original one. ++ */ ++ if (!global.tpm.tpm_object) { ++ if (SSL_CTX_check_private_key(ctx) <= 0) { ++ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n", ++ err && *err ? *err : "", path); ++ return 1; ++ } + } + + /* we must not free the SSL_CTX anymore below, since it's already in +@@ -1725,6 +1828,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) + cfgerr++; + return cfgerr; + } ++ ++ /* NOTE (knasim-wrs): US93721: TPM support ++ * This SSL context applies to SSL backends only. ++ * Since Titanium backends don't support SSL, there ++ * is no need to offload these keys in TPM or reuse the ++ * same TPM key for the frontend engine. ++ * ++ * If SSL backends are to be supported in the future, ++ * over TPM, then create a new TPM Engine context and ++ * load the backend key in TPM, in a similar fashion to ++ * the frontend key. ++ */ + if (srv->ssl_ctx.client_crt) { + if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) { + Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n", +-- +1.8.3.1 + 
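Review bot: The `tpm-object` and `tpm-engine` keywords added to cfg_parse_global do nothing when `access(args[1], F_OK)` fails, so a mistyped or missing path leaves `global.tpm.tpm_object` NULL and ssl_sock_load_cert_file silently takes the non-TPM branch, loading the private key from the PEM file instead of rejecting the configuration; add an else branch such as `Alert("parsing [%s:%d] : '%s' : cannot access '%s'.\n", file, linenum, args[0], args[1]); err_code |= ERR_ALERT | ERR_FATAL; goto out;` (cfg_parse_global continues outside the inner hunk). Because the `tpm-engine` value is passed to `ENGINE_ctrl_cmd_string(engine, "SO_PATH", ...)` and then `"LOAD"`, it names a shared library that is loaded into the haproxy process, which is why the 0640 mode on haproxy.cfg matters; the return values of both `ENGINE_ctrl_cmd_string` calls are discarded, so a bad path only surfaces later as a less specific `ENGINE_init` failure, and they should be checked. In deinit(), `global.tpm.tpm_object != '\0'` compares the pointer with a null character and merely repeats the preceding NULL test; the intent reads as `global.tpm.tpm_object[0] != '\0'`. The `tpm_err` path in ssl_sock_load_tpm_key and deinit_tpm_engine both call ENGINE_finish but never ENGINE_free the structural reference obtained from `ENGINE_by_id("dynamic")`, which leaks it on every error and at shutdown.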
diff --git a/base/haproxy/haproxy/haproxy.cfg b/base/haproxy/haproxy/haproxy.cfg
new file mode 100755
index 000000000..f0f0f1716
--- /dev/null
+++ b/base/haproxy/haproxy/haproxy.cfg
@@ -0,0 +1,80 @@
+# this config needs haproxy-1.1.28 or haproxy-1.2.1
+
+global
+ log 127.0.0.1 local0
+ log 127.0.0.1 local1 notice
+ #log loghost local0 info
+ maxconn 4096
+ chroot /usr/share/haproxy
+ uid 99
+ gid 99
+ daemon
+ #debug
+ #quiet
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ retries 3
+ option redispatch
+ maxconn 2000
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+
+listen appli1-rewrite 0.0.0.0:10001
+ cookie SERVERID rewrite
+ balance roundrobin
+ server app1_1 192.168.34.23:8080 cookie app1inst1 check inter 2000 rise 2 fall 5
+ server app1_2 192.168.34.32:8080 cookie app1inst2 check inter 2000 rise 2 fall 5
+ server app1_3 192.168.34.27:8080 cookie app1inst3 check inter 2000 rise 2 fall 5
+ server app1_4 192.168.34.42:8080 cookie app1inst4 check inter 2000 rise 2 fall 5
+
+listen appli2-insert 0.0.0.0:10002
+ option httpchk
+ balance roundrobin
+ cookie SERVERID insert indirect nocache
+ server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
+ server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
+ capture cookie vgnvisitor= len 32
+
+ option httpclose # disable keep-alive
+ rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
+
+listen appli3-relais 0.0.0.0:10003
+ dispatch 192.168.135.17:80
+
+listen appli4-backup 0.0.0.0:10004
+ option httpchk /index.html
+ option persist
+ balance roundrobin
+ server inst1 192.168.114.56:80 check inter 2000 fall 3
+ server inst2 192.168.114.56:81 check inter 2000 fall 3 backup
+
+listen ssl-relay 0.0.0.0:8443
+ option ssl-hello-chk
+ balance source
+ server inst1 192.168.110.56:443 check inter 2000 fall 3
+ server inst2 192.168.110.57:443 check inter 2000 fall 3
+ server back1 192.168.120.58:443 backup
+
+listen appli5-backup 0.0.0.0:10005
+ option httpchk *
+ balance roundrobin
+ cookie SERVERID insert indirect nocache
+ server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
+ server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
+ server inst3 192.168.114.57:80 backup check inter 2000 fall 3
+ capture cookie ASPSESSION len 32
+ timeout server 20000
+
+ option httpclose # disable keep-alive
+ option checkcache # block response if set-cookie & cacheable
+
+ rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
+
+ errorloc 502 http://192.168.114.58/error502.html
+ errorfile 503 /etc/haproxy/errors/503.http
+
diff --git a/base/haproxy/haproxy/haproxy.sh b/base/haproxy/haproxy/haproxy.sh
new file mode 100755
index 000000000..560480e40
--- /dev/null
+++ b/base/haproxy/haproxy/haproxy.sh
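Review bot: haproxy.cfg is added with `new file mode 100755`, but it is a configuration file that haproxy reads, not something that is executed, and should be committed as a regular 0644 file. The content also looks like the stock upstream sample rather than a deployable config: the leading comment says it needs haproxy-1.1.28 or 1.2.1, every `server` and the `errorloc 502 http://192.168.114.58/error502.html` target are placeholder 192.168.x addresses, and it uses legacy directives such as `rspidel`. If this file is only a placeholder that gets replaced at deployment, a comment at the top saying so (e.g. `# Sample configuration only; not the deployed /etc/haproxy/haproxy.cfg`) would stop it from being mistaken for the live config; if it really is installed as-is, the `chroot`/`uid 99`/`gid 99` settings are fine but the placeholder backends need to be replaced.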
@@ -0,0 +1,120 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: HA-Proxy
+# Required-Start: networking
+# Required-Stop: networking
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: HA-Proxy TCP/HTTP reverse proxy
+# Description: HA-Proxy is a TCP/HTTP reverse proxy
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/haproxy
+NAME=haproxy
+DESC="HA-Proxy TCP/HTTP reverse proxy"
+PIDFILE="/var/run/$NAME.pid"
+TPM_DATA_DIR="/var/run/TPM_haproxy/"
+OPTS="-D -f /etc/haproxy/haproxy.cfg -p $PIDFILE"
+RETVAL=0
+
+# This is only needed till TPM In-Kernel
+# ResourceMgr comes in
+remove_TPM_transients () {
+ _HANDLES=`find $TPM_DATA_DIR -type f -name "hp*.bin" -printf "%f "`
+ for handle in $_HANDLES; do
+ handle_addr=`echo $handle | sed 's/hp\([0-9]*\)\.bin/\1/g'`
+ tss2_flushcontext -ha $handle_addr &> /dev/null
+ done
+ rm -f $TPM_DATA_DIR/*
+}
+
+start() {
+ if [ -e $PIDFILE ]; then
+ PIDDIR=/proc/$(cat $PIDFILE)
+ if [ -d $PIDDIR ]; then
+ echo "$DESC already running."
+ return
+ else
+ echo "Removing stale PID file $PIDFILE"
+ rm -f $PIDFILE
+ fi
+ fi
+
+ # TODO: This is a temporary workaround till
+ # we eventually add a resource manager for TPM
+ mkdir -p $TPM_DATA_DIR
+
+ echo -n "Starting $NAME: "
+
+ TPM_DATA_DIR=$TPM_DATA_DIR start-stop-daemon --start --pidfile $PIDFILE -x "$DAEMON" -- $OPTS
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ echo "done."
+ else
+ remove_TPM_transients
+ echo "failed."
+ fi
+}
+
+stop() {
+ if [ ! -e $PIDFILE ]; then return; fi
+
+ echo -n "Stopping $DESC..."
+
+ start-stop-daemon --stop --quiet --retry 3 --oknodo --pidfile $PIDFILE -x "$DAEMON"
+ if [ -n "`pidof $DAEMON`" ] ; then
+ pkill -KILL -f $DAEMON
+ fi
+ echo "done."
+ rm -f $PIDFILE
+ rm -f /var/lock/subsys/$NAME
+ remove_TPM_transients
+}
+
+status()
+{
+ pid=`cat $PIDFILE 2>/dev/null`
+ if [ -n "$pid" ]; then
+ if ps -p $pid &>/dev/null ; then
+ echo "$DESC is running"
+ RETVAL=0
+ return
+ else
+ RETVAL=1
+ fi
+ fi
+ echo "$DESC is not running"
+ RETVAL=1
+}
+
+check() {
+ /usr/sbin/$NAME -c -q -V -f /etc/$NAME/$NAME.cfg
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart|force-reload|reload)
+ stop
+ start
+ ;;
+ status)
+ status
+ ;;
+ check)
+ check
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|force-reload|restart|reload|status|check}"
+ RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/centos_pkg_dirs b/centos_pkg_dirs
index bd6a491fe..e2a494134 100644
--- a/centos_pkg_dirs
+++ b/centos_pkg_dirs
@@ -131,3 +131,4 @@ base/cgcs-users
 base/cluster-resource-agents
 base/libfdt
 base/bash
+base/haproxy
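Review bot: `rm -f $TPM_DATA_DIR/*` in remove_TPM_transients wipes a directory through an unquoted, unguarded variable, so an empty or unset TPM_DATA_DIR would expand to `rm -f /*`; guard it as `rm -f -- "${TPM_DATA_DIR:?}"/*` and quote the `find $TPM_DATA_DIR` argument the same way. The script is declared `#!/bin/sh` but relies on the bash-only `&>` redirection in `tss2_flushcontext -ha $handle_addr &> /dev/null` and `ps -p $pid &>/dev/null`; under a POSIX sh such as dash that parses as `&` followed by a redirection, which backgrounds the command and makes the status() test always succeed, so write `>/dev/null 2>&1` instead (the same portability point applies to `echo -n`). In stop(), `pkill -KILL -f $DAEMON` matches the substring /usr/sbin/haproxy anywhere in any process's command line rather than the daemon recorded in $PIDFILE, so it can terminate unrelated processes; killing the pid from the pidfile, or at least `pkill -KILL -x haproxy`, is the safer fallback. The stale-pidfile check in start() builds `/proc/$(cat $PIDFILE)`, which for an empty pidfile becomes /proc/ and so reports the daemon as already running; testing that the file contains a number before the `-d` check would close that gap.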